DPO Newsletter: Global Data Protection & Privacy News (issue #157)

DPO Newsletter: Global Data Protection & Privacy News

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

πŸ‡ͺπŸ‡Ί European Union – EDPB Updates One-Stop-Shop Case Digest on Erasure and Right to Object
The EDPB published an updated case digest on the rights to erasure and objection under the GDPR, drawing on cross-border decisions handled through the one-stop-shop mechanism. The digest shows how supervisory authorities apply Articles 17 and 21 in practice, including common shortcomings in handling data subject requests.

πŸ‡©πŸ‡° Denmark – Danish DPA Launches EU-Wide Audit of Employer Transparency
Denmark’s Datatilsynet opened a supervisory review of 30 private companies, checking whether employers meet GDPR transparency obligations toward employees and job applicants. The exercise is part of a broader EDPB-coordinated sweep across the EU and EEA, and findings will feed into a joint European report. A good prompt to review your HR privacy notices.

πŸ‡ͺπŸ‡Έ πŸ‡§πŸ‡ͺ Spain–Belgium – First Joint European Guide on Data Protection in Video Games
Spain’s AEPD and Belgium’s data protection authority jointly published the first European guide on GDPR compliance for the video game sector. It covers AI-driven profiling, in-game purchases, children’s data, and cloud analytics, with practical checklists for developers and publishers at every stage of a game’s lifecycle.

2) Notable Case Law

πŸ‡ΊπŸ‡Έ United States – US Supreme Court Ruling Puts Pressure on EU–US Data Transfers
The US Supreme Court ruled in Trump v. Slaughter that the President can remove FTC Commissioners at will, weakening the independence the EU–US Data Privacy Framework partly relies on. The DPF remains valid for now, but several European DPAs advise reviewing Transfer Impact Assessments and preparing exit plans, and noyb has announced a challenge before the CJEU. Read the Czech analysis.

πŸ‡ͺπŸ‡Ί European Union – CJEU Allows Unlawfully Obtained Data as Evidence in Some Cases
The CJEU ruled that national courts may, in certain circumstances, admit personal data as evidence even where it was collected unlawfully, provided the privacy impact is weighed against the importance of the evidence. The case arose from a German employment dispute and is directly relevant to HR and legal teams handling employee investigations.

πŸ‡¬πŸ‡§ United Kingdom – ICO Fines Debt Services Firm Β£300,000 Over 5.5 Million Unlawful Texts
The ICO fined Manchester-based KRA Consultancy Ltd Β£300,000 for sending more than 5.5 million marketing texts to financially vulnerable people without valid consent. The case confirms that buying data from third parties does not mean inheriting their consent, and ranks among the ICO’s largest PECR fines to date.

3) New and Upcoming Legislation

πŸ‡ͺπŸ‡Ί European Union – Digital Omnibus on AI Adopted, but 2 August Transparency Rules Still Apply
The Council of the EU gave final approval to the Digital Omnibus on AI, deferring high-risk compliance obligations to December 2027. The deferral does not affect the AI Act’s Article 50 transparency rules, which apply from 2 August 2026: chatbots must disclose that users are talking to AI, and AI-generated content must be labelled.

πŸ‡ΊπŸ‡Έ United States – Connecticut’s Updated Privacy Law Took Effect on 1 July
Connecticut’s amended Data Privacy Act came into force, expanding sensitive data categories to include neural data, disability and medical information, and detailed financial account data. Profiling impact assessment obligations follow on 1 August. Organizations serving Connecticut residents should update data inventories, notices, and consent flows.

πŸ‡¦πŸ‡Ί Australia – Privacy Act Obligations Extended to Professional Services from 1 July
Australia’s AML/CTF reform brings more than 100,000 previously exempt small businesses in legal, accounting, and real estate under Privacy Act requirements when handling personal data in that framework. Global organizations with Australian entities in these sectors should check that privacy policies, breach procedures, and data subject rights processes are in place.

4) Strong Impact Tech

πŸ‡ͺπŸ‡Ί European Union – Google Loses Final Appeal Over €4.1 Billion Android Fine
The CJEU definitively upheld the European Commission’s €4.1 billion antitrust fine against Google for using Android to lock in its search engine. The ruling ends a case the Commission opened in 2015 and decided in 2018, and is the largest antitrust fine in EU history to be fully confirmed by the courts.

πŸ‡ͺπŸ‡Ί πŸ‡ΊπŸ‡Έ EU–US – Commission Moves to Designate AWS and Azure as DMA Gatekeepers
The European Commission reached the preliminary view that Amazon Web Services and Microsoft Azure should be designated as gatekeepers under the Digital Markets Act, bringing obligations on data portability, interoperability, and self-preferencing. Both companies can respond before a final decision, according to a Reuters report.

Other key information from the past weeks

πŸ‡―πŸ‡΅ Japan – KDDI Breach Exposes Up to 14.2 Million Email Accounts
KDDI disclosed that attackers exploited a third-party software vulnerability to access an email system shared across six Japanese ISPs, potentially exposing credentials for up to 14.22 million accounts. The incident underlines that vendor software risk is now a primary breach vector and belongs on every DPO’s due diligence list.

πŸ‘ Enjoyed this issue? Share it on LinkedIn and subscribe for weekly updates

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

Follow us on: